WASHINGTON--One senior Democratic lawmaker is calling on President Obama to make it clear to China's President Xi Jinping that the United States is ready to "impose real costs" on China if they continue to steal American intellectual property.

Sen. Carl Levin, D-Mich., suggested that Obama, who is scheduled to hold two days of meetings with Xi next week in California, underscore to the newly installed Chinese president that the Senate is moving forward with legislation that would create a watch list of foreign countries that engage in economic or industrial espionage in cyberspace.

If passed, the bill, which is co-sponsored by Levin, would require the president to block imports of certain foods from countries, if he determines they benefited from stolen U.S. technologies or intellectual property.

"I thought you could refer to this bill in your meeting with President Xi as an example that the U.S. will indeed impose real costs on China should they continue to steal our intellectual property," Levin wrote in a letter to Obama that was released by the Michigan lawmaker's office Wednesday.

Levin's push comes as cyber-security has become a growing source of tension between the two countries.

This week, The Washington Post published parts of a confidential defense report accusing Chinese hackers of compromising some of the most sensitive and advanced US weapons systems.

In March, Obama's national security adviser, Tom Donilon, called on China's government to take action to stop the theft of data from American computer networks and create global standards for cyber-security. Donilon visited Beijing this week and underscored U.S. concerns about cyber-security during wide-ranging talks with senior Chinese officials, according to the White House.

White House spokesman Jay Carney said Wednesday that cyber-security would be one of several topics Obama would discuss with Xi when they meet June 7 and 8 at the Sunnylands estate in Rancho Mirage, Calif.

"We've been clear in our concern about cyber-security, and our concern about the fact that there have been cyber-intrusions emanating from China," Carney said.

The two days of meetings between Obama and Xi will mark the first meeting between the two leaders since Xi took office in March.

A rise in the number of phishing emails sent to Oxford students' accounts has caused the university to block Google Docs temporarily.

Disabling Google Docs, a website for storing documents online, was a measure taken to prevent emails which appear to be from University officials. Students are increasingly targeted by hackers seeking their account details as university accounts can be used to send spam emails and appear legitimate.

In a blog post on their website, OxCERT (Oxford University Computing Service) explained the decision to block Google Docs, saying, "Over the past few weeks there has been a marked increase in phishing activity against our users. Now, we may be home to some of the brightest minds in the nation. Unfortunately, their expertise in their chosen academic field does not necessarily make them an expert in dealing with such mundane matters as emails...It only takes a small proportion to respond for the attacks to be worthwhile."

The blog post continued, "Almost all the recent attacks have used Google Docs URLs...We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action."

A Google spokesperson defended Google Docs, telling Cherwell, "Google actively works to protect our users from phishing attempts. Using Google Docs, or any of our products, for distribution or coordination of phishing is a violation of our product policies, and we will remove any forms or disable accounts discovered to be used for these purposes."

Phishing through Google Docs is part of a wider increase in the practice within the University. In an email to Oxford students, Professor Paul Jeffreys, Oxford's Director of IT Risk Management, warned, "You may recently have received fraudulent emails asking you to visit a website to supply your username and password, or requesting you send them email...There have been a very large number of such emails sent recently...Don't be tricked into handing over your password as a result of these emails."

Several undergraduates received phishing emails last week which claimed, "You will be unable to send and receive mails and your email account will be deleted from our server. To avoid this problem, you are advised to verify your email account by filling this manual [sic.] information." A link to a Google Doc for student usernames followed.

The amount of other spam emails reaching Oxford students has also increased. Undergraduates have received three emails from the websites 'Lashzone' and 'Lashxone' with the most recent being sent on Saturday 23rd February. Their website states, "We offer professional assistance on post-secondary homework, assignments, essays, lab reports, assignment revision...etc. You get the idea?"

A University spokesperson commented, "While Oxford University has extensive anti-spam defences in place, spammers are constantly adapting their tactics to evade our countermeasures. IT Services have to balance the risks of spam attacks against the risks of disruption to legitimate email traffic. Unfortunately this means that it is inevitable that some spam will get through the defences--this particular set of messages was just one of hundreds of spam runs that hit the University each day, and often many runs come from the same source."

Regarding emails from Lashzone, the university stated, "IT Services have been in contact with the Proctors' Office regarding the mails from Lashzone. We are satisfied that reasonable technical countermeasures are in place, but these are continually reviewed in view of evolving threats."

When pressed about criticism from universities, a Lashzone spokesperson commented, "We smile and walk on."

Data Privacy Day is an effort to empower people to protect their privacy and control their digital footprint and escalate the protection of privacy and data as everyone's priority.

Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. The Day commemorates the 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is a celebration for everyone and held on January 28th every year.

In our online world, data is free flowing. All of us--from home computer users to the largest corporations--need to be aware of the personal and private data others have entrusted to us and remain vigilant and proactive about protecting it.

Being a good digital citizen means being a good steward of data. Data Privacy Day is an effort to empower people to protect their privacy and control their digital footprint and escalate the protection of privacy and data as everyone's priority.

Data Privacy Day is led by the National Cyber Security Alliance, a non-profit, public private partnership focused on cyber security education for all online citizens.

Justi Montague

McAfee Warns Consumers of the "Twelve Scams of Christmas"
2012-11-21

Cyber-Scrooges Work Overtime During Holiday Season and on Black Friday/Cyber Monday, New Threats Hit Mobile, Email and the Web

Santa Clara, Calif. --November 9, 2011 - 'Tis the season for consumers to spend more time online - shopping for gifts, looking for great holiday deals on new digital gadgets, e-planning family get-togethers and of course, using online or mobile banking to make sure they can afford it all. But before logging on from a PC, Mac, or mobile device, consumers should look out for the "12 Scams of Christmas," the dozen most dangerous online scams this holiday season, revealed today by McAfee.

"With the increase in malware and other attacks on smartphones, tablets and Macs, users need to stay vigilant and ensure they protect all of their devices, not just their home PC--they can't afford to leave the door open to cyber grinches during the busy holiday season." "Cybercriminals rub their hands with glee when they think of the holidays," said Gary Davis, director of consumer product marketing at McAfee. "Consumers are making travel plans, shopping for gifts and bargains, updating Facebook and connecting with friends. However, the vast majority have no security protection for their smartphones or tablets, despite using them heavily during the holiday season. Consumers need to stay one step ahead of this season's cyber-scrooges, and make sure they have protection for all of the Internet-enabled devices. Otherwise, they could risk giving the bad guys the biggest gift of all - their own personal and financial information."

McAfee's 12 Scams of Christmas

1. Mobile Malware: A recent National Retail Federation (NRF) survey, dated October 19, found that 52.6 percent of U.S. consumers who own a smartphone said they will be using their device for holiday-shopping related activities--whether it's to research products, redeem coupons, or purchase holiday gifts. Malware targeted at mobile devices is on the rise, and Android smartphones are most at risk. McAfee cites a 76 percent increase in malware targeted at Android devices in the second quarter of 2011 over the first, making it the most targeted smartphone platform.

New malware has recently been found that targets QR codes, a digital barcode that consumers might scan with their smartphone to find good deals on Black Friday and Cyber Monday, or just to learn about products they want to buy.

2. Malicious Mobile Applications - These are mobile apps designed to steal information from smartphones, or send out expensive text messages without a user's consent. Dangerous apps are usually offered for free, and masquerade as fun applications, such as games. For example, last year, 4.6 million Android smartphone users downloaded a suspicious wallpaper app that collected and transmitted user data to a site in China.

3. Phony Facebook Promotions and Contests - Who doesn't want to win some free prizes or get a great deal around the holidays? Unfortunately, cyberscammers know that these are attractive lures and they have sprinkled Facebook with phony promotions and contests aimed at gathering personal information.

4. Scareware, or Fake Antivirus Software: Scareware is the fake antivirus software that tricks someone into believing that their computer is at risk--or already infected--so they agree to download and pay for phony software. This is one of the most common and dangerous Internet threats today, with an estimated one million victims falling for this scam each day. In October 2012, McAfee reported that scareware represented 23% of all dangerous internet links, and it has been resurgent in recent months.

5. Holiday Screensavers - Bringing holiday cheer to your home or work PC sounds like a fun idea to get into the holiday spirit, but be careful. A recent search for a Santa screensaver that promises to let you "fly with Santa in 3D" is malicious. Holiday-themed ringtones and e-cards have been known to be malicious too.

6. Mac Malware - Until recently, Mac users felt pretty insulated from online security threats, since most were targeted at PCs. But with the growing popularity of Apple products, for both businesses and personal use, cybercriminals have designed a new wave of malware directed squarely at Mac users. According to McAfee Labs™, as of late 2010, there were 5,000 pieces of malware targeting Macs, and this number is increasing by 10 percent month to month.

7. Holiday Phishing Scams - Phishing is the act of tricking consumers into revealing information or performing actions they wouldn't normally do online using phony e-mail or social media posts. Cyberscammers know that most people are busy around the holidays so they tailor their emails and social messages with holiday themes in the hopes of tricking recipients into revealing personal information.

A common holiday phishing scam is a phony notice from UPS saying you have a package and need to fill out an attached form to get it delivered. The form may ask for personal or financial details that will go straight into the hands of the cyberscammer.

Banking phishing scams continue to be popular and the holiday season means consumers will be spending more money--and checking bank balances more often. From July to September of this year, McAfee Labs identified approximately 2,700 phishing URLs per day.

Smishing (SMS phishing) remains a concern. Scammers send their fake messages via a text alert to a phone, notifying an unsuspecting consumer that his bank account has been compromised. The cybercriminals then direct the consumer to call a phone number to get it re-activated--and collect the user's personal information including Social Security number, address, and account details.

8. Online Coupon Scams - An estimated 63 percent of shoppers search for online coupons or deals when they purchase something on the Internet, and recent NRF data (October 19, 2011) shows that consumers are also using their smartphones (17.3 percent) and tablets (21.5 percent) to redeem those coupons. But watch out, because the scammers know that by offering an irresistible online coupon, they can get people to hand over some of their personal information.

One popular scam is to lure consumers with the hope of winning a "free" iPad. Consumers click on a "phishing" site, which can result in email spam and possibly dealing with identity theft.

Consumers are offered an online coupon code and once they agree, are asked to provide personal information, including credit card details, passwords and other financial data.

Secretary Napolitano says a reserve of security pros is needed because a major cyberattack could make this week's hurricane damage look mild.

The damage to the electrical grid from Superstorm Sandy is just a taste of what could happen from a major cyberattack, says Department of Homeland Security (DHS) Secretary Janet Napolitano.

And a DHS task force said this week that one way to minimize that kind of risk is to recruit a "Cyber Reserve" of computer security pros that could be deployed throughout the country to help the nation defend and recover from such an attack.

Napolitano and other high government officials have been preaching about the escalating threats, particularly from hostile nation states like Iran, Russia and China, for some time.

The Hill reported that at a cybersecurity event hosted by the Washington Post, Napolitano said while recent news has been about financial institutions being hit with Distributed Denial of Service (DDoS) attacks, the nation's control systems for major infrastructure like utilities and transportation infrastructure were also being targeted.

The Secretary used Hurricane Sandy to make the point. "If you think that a critical systems attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities," Napolitano said.

Government officials have been invoking the Pearl Harbor image for years. Defense Secretary Leon Panetta did it again just a few weeks ago, saying in a speech in New York that such an attack would "cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability."

For good measure, he also called it a "pre-9/11 moment."

The security community is divided over the depth of the threat. Most experts say the threats are real, but not at the level of a catastrophic military attack.

Bruce Schneier, author and chief security technology officer at BT, told CSO Online this year: "Throughout history, the definition of a 'major war' has involved casualties in the hundreds of thousands. That means dead people."

Panetta did invoke the risk of dead people. "[Attackers could] derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals," he said. "They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country."

Patrick Lambert wrote in a TechRepublic blog post that while the scenarios painted by Panetta are horrifying, "there's no way to accomplish them solely via the Internet. Most things have to be done on site, and any critical systems shouldn't be connected directly to the 'Net in the first place."

John Felker, a retired Coast Guard captain and vice president of cyber programs at SCI Consulting Services, who believes Panetta is right, said: "Those systems were closed--site specific--when they were put in place a long time ago." But now they are Internet facing. "It's cheaper that way, but they are also more vulnerable."

"Absolutely--no question about it. I've seen the ones and zeros, so I know," Felker said. "Depending on the attack, could it be worse than Sandy, not only from the risk to life, but the economy. If there is no electricity, a lot of those things don't get done."

Could a "Cyber Reserve" mitigate the threat? DHS Deputy Secretary Jane Holl Lute believes that until DHS can improve its in-house capabilities, a reserve is the way to go.

Jim Finkle reports at Reuters that the Deputy Secretary hopes to have a working model for a Cyber Reserve within a year, with the first members drawn from retired government employees now working for private companies, and would also recruit from Department of Defense contractors, veterans' organizations and outside groups.

The management of such a reserve of security pros could be tricky, however, since it would involve security clearances and allowing people access to confidential information and tools that could leak into the wild unless they were tightly controlled.

"This has been talked about before," Felker said. "There are a lot of plusses and a lot of minuses. The big question is what authorities do they operate under. How do you get them to do what you want?"

"We know [experts are] out there. But you have to have somebody managing the program that is very comfortable with ambiguity. Gen. [Keith] Alexander [head of the National Security Agency] is probably somebody who could do it."

Felker said the security risks from reservists themselves are probably small. "It depends what kind of access you give them. Some of those [cyber] tools don't go outside unless it's under very controlled conditions," he said.

However, even if the U.S. does get a Cyber Reserve up and running within a year, it will still be late to the party. Steve Elwart, writing in WND, noted that Estonia has a "white-hat hacker organization" that supports the country's National Guard; that the U.K. is developing a program; and that China is "actively recruiting a vast [cyber] army of up to one-half billion soldiers."

An anonymous teen techie who goes by the name Pinkie Pie won a prize at a hacker conference Wednesday by exposing problems in Chrome.

A hacker who found a flaw in Google's Chrome browser was able to make some serious cash from the security breach--paid for by Google itself.

The anonymous teen techie, who goes by the name Pinkie Pie, cracked a problem in Chrome and won a $60,000 prize from Google during a hacker conference Wednesday in Kuala Lumpur.

This is the second successful hack for Pinkie Pie this year, after he took home his first $60,000 prize in March.

"Congrats to Pinkie Pie, returning to the fray with another beautiful piece of work!" Google Chrome engineer Jason Kersey wrote on the company's official blog on Wednesday, adding the team is "delighted at the success" of the hacker conference and looks forward to improving the browser based on new knowledge uncovered during the event.

Google engineer Chris Evans praised the teen's work, and said that Chrome was able to fix the bugs in less than 10 hours after they were discovered.

"We'd like to thank Pinkie Pie for his hard work," Evans wrote on the Chromium Blog on Wednesday, promising a more detailed look at the hack and Chrome's solutions once the issue has been resolved for most users.

Though his identity has not been revealed to the public, Google officials have said they know who he is. His alias is the name of a popular "My Little Pony" character.

Google regularly runs contests for hackers who can expose bugs in Chrome, in an effort to make the browser more secure.

In August, the company announced it would give up to $2 million in prizes to engineers who could find holes in their system, following a similar contest in February during which they offered up to $1 million in prizes.

The $60,000 that Pinkie Pie won is given out to those who can find a "Full Chrome exploit"--a flaw that exists exclusively in the Chrome browser.

Kelihos, thought to have infected around 41,000 computers across the globe, is dealt with.

Microsoft has announced another success in its drive to take down botnets. The company used “legal and technical measures” in “Operation b67” as it was codenamed (hmm, snappy moniker – ed), to take down the Kelihos botnet. Kelihos is not as big as the Rustock botnet, but MS says that its takedown “represents a significant advance” in their fight. This is because it’s the first time that MS has “named a defendant in one of its civil cases involving a botnet”. This, they say, sends a “strong message” to botnet creators and controllers and should they attempt to rebuild the botnet then further action will always be taken.

The civil case alleges that Dominique Piatti and John Does owned a domain which they used to register subdomains in order to operate Kelihos. Whilst MS say that some were used for legitimate reasons, many were being used “for questionable purposes with links to a variety of disreputable online activities.” This includes one which hosted the scareware MacDefender, which infects Apple’s OS with rogue software. However, the main purpose of many of their subdomains was to control the botnet, which was used for a variety of purposes including spam, stealing information, stock scams and “websites promoting the sexual exploitation of children.” MS obtained a restraining order on September 22nd which allowed them to cut the connections between the botnet and the zombie computers it controlled.

They then served Piatti, who lives in the Czech Republic, with notice of the suit and are now attempting to locate the other John Does in order to serve them too. MS says that actually naming a defendant is a “big step forward” as it helps them to protect customers and the MS platform. It also goes some way to making domain providers aware that they should know more about their customers and their activities. They also hope that this will raise the cost of cybercrime to the criminal, making it harder for them to start up and operate, therefore reducing the problem.

MS also point out that more regulation is needed in the industry to ensure that domain owners can be held accountable if subdomains are being used for illegal purposes. Kelihos is thought to have infected around 41,000 computers across the globe, even though it is considered to be a relatively small botnet. MS says that it will work with ISPs and Community Emergency Response Teams (CERTs) to clean up computers which are infected with botnet malware.

They have already added the Win32/Kelihos family to the latest release of the Malicious Software Removal Tool.

Phillip Armstrong

Interesting fact of the week
2010-09-29

Origins of the Word "Phishing"

The word "phishing" comes from the analogy that Internet scammers are using email lures to "fish" for passwords and financial data from the sea of Internet users. The term was coined in the 1996 timeframe by hackers who were stealing America On-Line accounts by scamming passwords from unsuspecting AOL users. The first mention on the Internet of phishing is on the alt.2600 hacker newsgroup in January 1996, however the term may have been used even earlier in the printed edition of the hacker newsletter "2600".

"Ph" is a common hacker replacement for "f", and is a nod to the original form of hacking, known as "phreaking". Phreaking was coined by the first hacker, John Draper (aka "Captain Crunch"). John invented "hacking" by creating the infamous Blue Box, a device that he used to hack telephone systems in the early 1970s.

This first form of hacking was known as "Phone Phreaking". The blue box emitted tones that allowed a user to control the phone switches, thereby making long distance calls for free, or billing calls to someone else's phone number, etc. This is in fact the origin of a lot of the "ph" spelling in many hacker pseudonyms and hacker organizations.

By 1996, hacked accounts were called "phish", and by 1997 phish were actually being traded between hackers as a form of currency. People would routinely trade 10 working AOL phish for a piece of hacking software that they needed.

Over the years, phishing attacks grew from simply stealing AOL dialup accounts into a more sinister criminal enterprise. Phishing attacks now target users of online banking, payment services such as PayPal, and online e-commerce sites. Phishing attacks are growing quickly in number and sophistication. In fact, since August 2003, most major banks in the USA, the UK and Australia have been hit with phishing attacks.

Thanks to the TrendMicro Blog for this informative article about social networking sites and their dangers:

Due to their ever-growing popularity, social networks have been a continuous target of cybercriminals to proliferate their malicious schemes. TrendLabs℠ received samples of another Facebook spam, this time also taking advantage of the popular micro-blogging site, Twitter.

The mail, which poses as a Facebook notification message, uses adult-themed strings to lure users into opening the attachment. The .ZIP file attachment, Twitter.zip, contains the file twitter.html, which has an embedded malicious script that Trend Micro detects as JS_REDIR.AE.

Ken Akers

Some Good News on the Scareware Front
2010-06-02

IDG News Service - Three men are facing federal fraud charges for allegedly raking in more than US$100 million while running an illegal "scareware" business that tricked victims into installing bogus software.

Two of the men, Bjorn Sundin and Shaileshkumar Jain, operated an antivirus company called Innovative Marketing, which sold products such as WinFixer, Antivirus 2008, Malware Alarm and VirusRemover 2008. The third man charged, James Reno, ran Byte Hosting Internet Services, the company that operated Innovative Marketing's call centers.

The company's products generated so many consumer complaints that the FTC brought a civil action against Innovative Marketing and Byte Hosting in 2008, effectively putting them out of business.

On Wednesday, a grand jury in Chicago handed down the criminal charges, meaning the three men now face jail time if convicted.

Reno is expected to turn himself in for arraignment, the U.S. Department of Justice said in a press release Thursday. Authorities believe that Jain and Sundin are living in Ukraine and Sweden, respectively.

In a September 2009 e-mail to the IDG News Service, Reno said he was a young and naïve businessman who was taken advantage of by Innovative Marketing. "I made some mistakes, of course," he said, "however they kept us in the dark on a lot of their operation."

According to prosecutors, Innovative Marketing set up fictitious advertising agencies that would buy online inventory from media companies, pretending to represent legitimate companies. They then pushed out ads with hidden computer code that generated scary-looking pop-up messages, designed to look like operating system errors or antivirus scans.

The end result was always the same. To get rid of the pop-up warnings, users would have to buy Innovative Marketing's worthless software, prosecutors allege.

Byte Hosting's call centers were then used to "deflect complaints from victims who purchased Innovative Marketing software products," the Department of Justice (DoJ) said.

The scheme convinced victims in more than 60 countries to buy more than 1 million bogus programs, the DoJ said.

All of the major browsers on Windows and Mac OS X are vulnerable to the attack.

Aza Raskin, Firefox's creative lead, spelled out the scenario, which is striking in its assumption: Most people keep multiple tabs open, often for long periods.

Raskin's technique requires that identity thieves trick users into visiting a malicious or compromised site -- no problem in today's spam- and scam-infected online world. They can then use JavaScript to quietly change the contents and label of an open-but-not-active tab to resemble the log-in screen of a bank or credit card company or Amazon.com or Gmail.

There is a report today of FakeAV malvertisements (malware distributed via advertising sites) within the Hotmail and Live.com advertiser suite. We know several MOREnet members host their e-mail on Live.com and many people use Hotmail on a regular basis. Remind your users that you have real Anti-Virus installed on your organization-owned computers. If you provide wireless access to users for connecting their own systems, remind them not to click on Fake Anti-Virus ads that may popup from visiting these sites.

stopmalvertising.com/malvertisements/alert-several-websites-hit-by-malvertisements has more information at the bottom of the page.

Ken Akers

Social Engineering the "Traditional" way
2010-05-07

Following up on yesterday's social engineering post, the banking scammers don't just rely on ZBot -- the good old "paper based" advance fee or fake letter approaches still work, too.

ISC reader David, for example, got a FedEx envelope with an unexpected check over 2'850$, with him as recipient. Diligent security specialist that he is, he called the issuing bank ... and found out that the account against which the check was drawn had zero funds. The way this works is that the bad guys follow up the first letter with a second, where they apologize for the mistake, ask the victim to "wire back" 2500$ and "keep the 350$ for your trouble". If you go ahead with this, by the time the check bounces, you have wired the money, and wired money is gone or at least very very hard to get back. Given that the crooks incur quite some expense and risk in this scenario (FedEx isn't cheap and often traceable back to the source) they must still be making a killing out of this scam.

The second scheme is phishing via old-fashioned paper mail. You get a letter stating that "for security reasons" calling the bank now requires a pin code, included below. What follows is a pin code of a length and complexity that makes it unlikely anyone would want to remember it, and two lines down, the helpful comment that the pin code can be changed by calling 1-800-whatever. You do so, and here's what happens next:

Voice: Please enter your account number, followed by the pound key [you type]

Voice: Please enter your current telephone access code [you type in the access code in the letter]

Voice: This access code is incorrect. Please try again. [you type - correctly again]

Voice: This access code is incorrect. Please hold for an operator. [you hold]

Operator: XYZ Bank, my name is QRS, how may I help you [you explain]

Operator: To identify you, we have to ask a couple of security questions. What are the last four digits of your social security number?

Yep. You get the drift. After this exchange, they have everything they need.

Lesson learned: Do not ever call "your bank" on a telephone number included in a letter, email or left on your voice mail. Get to know some employees at the bank branch you do business with, and call them with any questions you might have. Recognizing someone's voice beats a "security pin code" any day.

Always use caution when opening a zip file that is received unsolicited. One recent email received by a Columbia College employee claims to be from technology services and has an address of ccis. The email prompts the recipient to click on a zip file and follow the instructions. The email reads:

Dear Customer,

This e-mail was send by ccis.edu to notify you that we have temporanly prevented access to your account.

We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions

(C) ccis.edu

This is not from Tech services. Technology services would never send an executable file without a full explanation of the reason for the software or attachment in question. Be on the lookout for this type of social engineering scam.

Ken Akers

Watch out for this "Social Engineering" email
2010-04-14

Social engineering schemes involve false emails or other electronic messages sent by people or groups trying to obtain your personal information. Be careful of variations of this email, which are circulating around the Web and have been reported by various organizations.

Subject: Notice: Contract terms breached.

5 April, 2010

Hello,

You are hereby put on notice that as of 7/1/2010 you are in breach of our contract dated 3/12/2007. The nature of said breach is: False Advertising, Breach of Contract, Bad faith Breach of Contract, Fraud and Deceit. It is our desire to inform you of the foregoing and afford you the opportunity to cure said breach. You may in any event be held responsible for all damages arising from said breach.

To view a copy of the complaint please visit our company website: http://---URL REMOVED---/

Please use the CASE ID located at the end of the document to find the copy of the complaint.

You have until 10th of May 2010 to cure said breach, after which we will be forced to pursue further legal action.

Regards,

Jim Karter

CASE ID: 4322524

See a suspicious email similar to the one above? Send it to the Solution center through our self service portal.

Computerworld - A design flaw in Adobe's popular PDF format will quickly be exploited by hackers to install financial malware on users' computers, a security company argued today.

The bug, which is not strictly a security vulnerability but actually part of the PDF specification, was first disclosed by Belgian researcher Didier Stevens last week. Stevens demonstrated how a multistage attack using the PDF specification's "/Launch" function could successfully exploit a fully-patched copy of Adobe Reader.

Unlike other attacks based on rogue PDFs, Stevens' technique does not require an underlying vulnerability in Adobe's Reader or Acrobat, but instead relies on social engineering tactics to dupe users into opening a malicious PDF. In his demo, Stevens used a PDF document containing attack code that he was then able to execute using the /Launch function. Although Reader and Acrobat display a warning when an executable inside a PDF file is launched, Stevens found a way to partially modify the alert to further trick a potential victim into approving the action.

It will be easy for hackers to replicate Stevens' strategy, said Mickey Boodaei, CEO of security company Trusteer, best known for Rapport, a security service that helps online banks, brokerages, and retailers secure customers' desktops.

"Didier's information is very clear, very easy to reproduce, and the attack seems to be very effective," said Boodaei. Although Stevens did not release proof-of-concept attack code, Trusteer's engineers were easily able to duplicate his attack, including the modifications to Reader's and Acrobat's warnings.

Boodaei assumes that criminals will be able to replicate the attack -- within days, if they haven't already -- and believes that they will immediately add it to the already-in-place multi-exploit kits that they've hidden on compromised legitimate sites.

"All the infrastructure is in place," Boodaei said, citing the networks of hacked sites that criminals use to launch drive-by attacks, which typically try multiple exploits or attack vectors, in order to infect as many victims as possible. "This is just another vulnerability they can use," he said.

Adobe has acknowledged the bug, but has not yet committed to producing a patch to stymie attacks. However, the company has urged users to change Reader's and Acrobat's settings to disable the /Launch function.

In a blog post Tuesday, Adobe Reader group product manager Steve Gottwals recommended that consumers block attacks by unchecking a box marked "Allow opening of non-PDF file attachments with external applications" in the programs' preferences panes. By default, Reader and Acrobat have the box checked, meaning that the behavior Stevens exploited is allowed.
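A triage check for the /Launch behavior described above, as an added example that is not from the article, Adobe or Didier Stevens: it counts action-related name keys in a PDF's raw bytes and decodes the #xx hex escapes that the PDF format allows inside names. The watched-name list, function names and sample fragments are assumptions constructed here.

```python
import re

# Name keys that deserve a second look; /Launch is the one the article is about.
WATCHED = ("Launch", "OpenAction", "AA", "JavaScript", "EmbeddedFile")
NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed fragments, not taken from any real document.
SAMPLE_PLAIN = b"1 0 obj << /Type /Action /S /Launch /F (PLACEHOLDER) >> endobj"
SAMPLE_ESCAPED = b"1 0 obj << /Type /Action /S /L#61unch /F (PLACEHOLDER) >> endobj"
SAMPLE_CLEAN = b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj"


def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes inside a PDF name (/L#61unch is the same as /Launch)."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count watched names in the raw bytes.

    Limitation: names inside compressed object streams are not expanded,
    so a clean result here is not proof that the file has no /Launch action.
    """
    counts = {name: 0 for name in WATCHED}
    obfuscated = []
    for match in NAME_RE.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in counts:
            counts[name] += 1
            if b"#" in raw:
                # An escaped spelling of a watched name is itself suspicious.
                obfuscated.append(raw.decode("latin-1"))
    return {"counts": counts, "obfuscated": obfuscated,
            "launch": counts["Launch"] > 0}


if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("escaped", SAMPLE_ESCAPED),
                        ("clean", SAMPLE_CLEAN)):
        print(label, scan_pdf(blob))
```

A hit is a reason to hold the file for review before it reaches a user, which complements the Reader preference change Adobe recommends.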

Beware suspicious emails circulating Columbia College today. Tech Services has detected that messages are being delivered from various email accounts that are disguised as ecards or messages from legitimate businesses and websites. A zip file is attached and clicking on this file can launch malware that then sends more messages to Columbia College users. Please DO NOT respond or click on the attached .zip file. Please DELETE these messages immediately.

Keep your eye on Cougar Alerts for continued updates.

Ken Akers

Watch out for this email Scam!
2010-03-25

A copy of an insidious email scam is making the rounds to various educational organizations and businesses around Missouri. Thanks to MORENET for alerting us to this attempt to get our users to click on a fake link that could do damage to your computer or scare you into revealing personal or organizational information.

From our friends at MORENET:

This email still has tell-tale misspellings and the most obvious missing item is the location of courtroom #36. Another teachable moment for your users about security awareness. The scare tactic email is as follows:

March 24, 2010

Crosby & Higgins

350 Broadway, Suite 300

New York, NY 10013

To Whom It May Concern:

On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010.

Currently the Pretrail Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36.

The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Touchstone Advisories Inc is a victim of Copyright infrigement hXXp://www.touchstoneadvisorsonline.com/lawsuit/suit_documents.doc

Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010.

As Microsoft pushes out two Patch Tuesday security updates for Windows and Office Excel, the company warns that attackers are targeting a vulnerability in Internet Explorer that can be used to hijack machines.

Microsoft issued a warning March 9 for Internet Explorer users as the company pushed out its monthly round of patches to cover security holes in Windows and Microsoft Office Excel.

Cougar Alerts cover a lot of ground when it comes to security. Many of our alerts are just a "good to know" item that concerns security in general and can be applied at home, work and in many other contexts. But sometimes an issue more directly impacts the Columbia College community. Look for the Favorites icon to alert you of these more targeted messages.

Ken Akers

Don't Accept Offers of "Free PC Scans" That Pop up When You Use the Internet
2010-02-08

Secure Computers LLC paid a $1,000,000 fine for offering "free spyware scans" that told users their systems had been infected with spyware, even if the system was clean. They are not the only ones doing this; when you surf the Web you are still likely to see pop-up windows like that. Some "scans" don't just give misleading results; they actually try to install unwanted software on your PC. Often the screen pop-ups only have a "scan" button and no "cancel" or "quit" option. In fact they could interfere with your PC no matter which of the buttons you choose. Be safe: close pop-ups like this by clicking on the X in the top right corner of the browser window. Better yet, use pop-up blocker software (http://www.vnunet.com/vnunet/news/2170208/security-firm-pay-million-false).

If an unexpected email brings you news that seems too good to be true, it is probably a spam and a scam. If you didn't request information about the product or service, it is probably a spam and a scam. If it promises to enhance parts of your body, it won't. If it promises you an easy mortgage, you can do better by visiting your bank. If it promises that you can make a fortune on a penny stock, you can't. If you are unsure, ask five friends. Chances are four of them also received the spam and you can know to steer clear.

Last year, one organization narrowly avoided a virus infestation. Alerts led them to the email in-boxes of the virus authors. To sneak in a virus, hackers used encrypted zip files, which went past filters because they couldn't be scanned. The organization caught it with the very last line of defense — desktop antivirus software, which triggered after the users had plugged in the password to see the zip file contents! Had the bad guys written something new, instead of using off-the-shelf script kiddie code that was in standard pattern files, there could have been a major outbreak. Long story short: End-user awareness about email and attachments is every bit as important as antivirus filters and firewalls. EVERY USER is an important part of hacker defense!
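An added example (not from the original post) of what a mail filter can still check when it cannot decrypt a ZIP attachment: with traditional ZIP encryption the archive directory stays readable, so the encryption flag and member names are visible without the password. The quarantine policy, extension list, function names and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# File types a user should not need to receive inside an unsolicited archive.
RISKY_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
ENCRYPTED_BIT = 0x0001  # general-purpose flag bit 0 of a ZIP entry


def triage_zip(data: bytes) -> dict:
    """Classify a ZIP attachment from its directory alone (no password needed)."""
    report = {"encrypted": [], "risky": [], "verdict": "deliver"}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["verdict"] = "quarantine"  # unparseable archives cannot be scanned
        return report
    with archive:
        for info in archive.infolist():
            if info.flag_bits & ENCRYPTED_BIT:
                report["encrypted"].append(info.filename)
            if info.filename.lower().endswith(RISKY_EXT):
                report["risky"].append(info.filename)
    # Assumed policy: content the scanner cannot read is held, not delivered.
    if report["encrypted"] or report["risky"]:
        report["verdict"] = "quarantine"
    return report


def build_sample(names, encrypted=False) -> bytes:
    """Constructed test archive; 'encrypted' only sets the flag bit, no real cipher."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content")
    raw = bytearray(buf.getvalue())
    if encrypted:
        pos = raw.find(b"PK\x01\x02")  # central directory entry signature
        while pos != -1:
            raw[pos + 8] |= ENCRYPTED_BIT  # flag field sits 8 bytes into the entry
            pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    print(triage_zip(build_sample(["notes.txt"])))
    print(triage_zip(build_sample(["ecard.exe"], encrypted=True)))
```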

Ken Akers

If you print it, go get it right away!
2010-02-08

Don't leave important, sensitive, or confidential material lying around the office. Common printing areas are frequented by people coming and going. Often you will be in line to pick up your documents and others may handle them before you. This leads to unnecessary information disclosures. One boss had a print job disappear, and had e-mailed the whole floor about it. The pages never turned up. Always use the closest print station, or a dedicated printer for confidential information, and go get it right away!